CVE-2025-0714

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-0714
The vulnerability exists in the password storage of Mobateks MobaXterm in versions below 25.0. MobaXTerm uses an initialisation vector (IV) consisting only of zero bytes and a master key to encrypt each password individually. In the default configuration, on opening MobaXTerm, the user is prompted for their password. A derivative of the password is used as the master key. As both the master key and the IV are the same for each stored password, the AES CFB ciphertext depends only on the plaintext (the password). The static IV and master key make it easier to obtain sensitive information and to decrypt data when it is stored at rest.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.0 / Impact : 4.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://www.cirosec.de/sa/sa-2024-012
Configurations

No configuration.

History

19 Feb 2025, 09:15

Type Values Removed Values Added
Summary
  • (es) La vulnerabilidad existía en el almacenamiento de contraseñas de MobaXterm de Mobatek en versiones anteriores a 25.0. MobaXTerm utiliza un vector de inicialización (IV) que se genera cifrando bytes nulos con un derivado de la clave maestra del usuario. Como la clave maestra es estática y AES ECB produce la misma salida con la misma entrada, el IV para AES CFB es siempre el mismo. El IV estático facilita la obtención de información confidencial y el descifrado de datos si estos se almacenan en reposo.
Summary (en) The vulnerability existed in the password storage of Mobateks MobaXterm below 25.0. MobaXTerm uses an initialization vector (IV) that is generated by encrypting null bytes with a derivate of the users master key. As both the master key is static, and AES ECB produces the same output with the same input the IV for AES CFB is always the same.The static IV makes it easier to obtain sensitive information and decrypt data if the data is stored at rest. (en) The vulnerability exists in the password storage of Mobateks MobaXterm in versions below 25.0. MobaXTerm uses an initialisation vector (IV) consisting only of zero bytes and a master key to encrypt each password individually. In the default configuration, on opening MobaXTerm, the user is prompted for their password. A derivative of the password is used as the master key. As both the master key and the IV are the same for each stored password, the AES CFB ciphertext depends only on the plaintext (the password). The static IV and master key make it easier to obtain sensitive information and to decrypt data when it is stored at rest.

17 Feb 2025, 12:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-02-17 12:15

Updated : 2025-02-19 09:15

NVD link : CVE-2025-0714

Mitre link : CVE-2025-0714

CVE.ORG link : CVE-2025-0714

JSON object : View

Products Affected

No product.

CWE
CWE-1204

Generation of Weak Initialization Vector (IV)